As organizations explore and define their cloud strategy, they readily identify the expected benefits including reduced capital investment, improved geographic diversity, scalability, agility, and performance. What the cloud can bring to a given scenario varies, but most organizations can find some clear-cut benefits. So, what are the challenges?
Any system or device connected to a network can be compromised and, if the data is sensitive, the reputation and economic risks grow for the data owner. Cloud-hosted solutions offer both hardware and software on demand over the Internet. Since they are provided over the Internet, the systems themselves are subject to attack. It is only through well-constructed controls that data and systems can be safe.
Public cloud providers know keeping their cloud secure is essential to ensuring efficiency and maintaining the credibility of their business. Cloud customers reap the benefits of the public cloud provider’s security but must recognize that they are in a shared security model where they own the risk scenarios associated with the applications and data they implement.
Exposure of sensitive information including personally identifiable information (PII), personal financial information (PFI) or personal health information (PHI) constitutes a data breach subject to fines and legal action.
An organization's exposure rises when it doesn't review its risks and apply strong controls. Fortunately, public cloud providers offer cloud-based controls that can mitigate the risks incurred. Key areas that should be considered in a risk-based approach include:
Cloud-based identity management provides users with efficient access to applications, data and network services. One of the true benefits of public cloud providers can be a low-cost, rapidly deployed single sign-on and identity management solution. These identity management solutions are not limited to applications hosted in the cloud provider’s space; they can also bring benefits to access for applications offered as software as a service by other vendors or hosted on-premises.
Help desks become more efficient because they are no longer burdened with resetting passwords for users who had to remember separate user IDs and passwords for each system. The solutions also typically offer advanced security features like multi-factor authentication.
Public cloud providers offer tools to grant the appropriate level of access to individual users. The recommended approach is to use the philosophy of “rights of least privilege” so that only resources with a need to access a given resource can access it. Ensuring data is classified provides the framework to deploy a rights management solution.
• Data Encryption in flight and at rest
Public cloud providers offer data encryption solutions for data in-flight and at rest on the provided storage. Encryption ensures that information cannot be easily monitored, viewed or improperly disclosed.
Cloud providers offer controls to isolate network segments to ensure that one tenant's data is not accessible to or from other tenants. These include traditional concepts like firewalls, application firewalls, and network segmentation.
Monitoring assets provides the ability to proactively collect performance and system utilization information, monitor and audit system and device logs, and, based on the information discovered, proactively respond to incidents with alerts or automated actions.
Many cloud providers offer security monitoring solutions to allow customers to monitor for unusual network traffic or connections with known bad players and alert administrators or automatically block the known bad traffic.
• End Points
Most organizations leverage users’ mobile communications capabilities to connect to cloud solutions from anywhere. Devices, whether owned by the enterprise or by the end user (BYOD), often exist outside the protection of internal company controls, and therefore additional controls should be considered for these devices. Enterprise mobility solutions apply controls to devices to increase their safety.
There is no single formula to dictate an acceptable level of security. The security deployed must be aligned with regulatory requirements, the application architecture and an individual organization’s tolerance for risk balanced against cost. Building a cloud security strategy requires a thoughtful approach to selecting the protections, monitoring, and governance needed to reach a level of acceptable risk.